Taking a look in /var/ossec/logs/alerts I can see there are lots of things registered, not related to the files I modified, but related to ssh login failures, sudo stuff and the like, but I never get an e-mail with that report.
Thank you very much for your time and support
Regards

On Thursday, 13 October 2016, 14:47:25 (UTC-3), dan (ddpbsd) wrote:
> On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic <netwar...@gmail.com> wrote:
> > Hi
> > Does this still apply?
> > I have this option enabled: <alert_new_files>yes</alert_new_files> along
> > with the realtime=yes.
> >
> > From another post on the list:
> >> In the past new files were not alerted in real time. I'm not sure if
> >> this has changed. Any of the developers know?
> >
> > Was there a response to this post?
>
> I don't think it's changed, but I'm sure I miss commits here and there.
>
> > Another question, by reading this
> > http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html
> > I can see that there are values that can be adjusted, for example host
> > information, by default 8, how do I interpret that, the greater the number
> > the more verbose? I just made some modification under /etc, created some file
>
> That would be the alert level. It does not change verbosity, just the
> level of the alert.
>
> > modified other just to test, but still have no e-mail, I'm only getting an
> > e-mail regarding a service log and nothing else, which is the parameter to
> > tell ossec to send all the issues?
>
> For the new file, you probably need a full syscheck scan for it to be
> picked up.
> For the modified file, if it's already in the syscheck db, you should
> be alerted relatively quickly (if realtime is enabled and currently
> running).
>
> Other than that, OSSEC should send all alerts.
>
> > Last question:
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> >
> > Which service is not started? The doc says the package inotify should be
> > installed and I have it: inotify-tools-3.13-2.el6.art.x86_64
>
> That doesn't indicate that a service hasn't started, just that the
> realtime feature hasn't started working yet.
> There's a delay for realtime to start.
>
> > Thank you very much!!
> > Regards
> >
> > On Thursday, 13 October 2016, 10:32:16 (UTC-3), dan (ddpbsd) wrote:
> >> On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic <netwar...@gmail.com> wrote:
> >> > Hi
> >> > Let's see, shouldn't I have to configure on each tag to which directory
> >> > I want to apply it? As in check_all, directories, realtime and which
> >> > directories, or are they global parameters? That's why I included home
> >> > and root on both of them.
> >>
> >> Each option applies to the directories configured in it.
> >>
> >> > <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
> >>
> >> This checks all of the hashes, owner, and permissions.
> >>
> >> > <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>
> >>
> >> This does realtime checks of all of the above, and should produce an
> >> error because the "/root," "/home," and "/etc" directories are duplicated.
> >> Duplication of directories can cause issues, so it's best not to do
> >> it. The way to solve this is not to duplicate these directories in the
> >> second configuration by not including them in the first.
> >> For example:
> >>
> >> <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
> >> <directories check_all="yes" realtime="yes">/root,/home,/etc</directories>
> >>
> >> Now, if you want to add "report_changes" to /etc, you'll have to
> >> remove it from the above configuration. You'll end up with:
> >>
> >> <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
> >> <directories check_all="yes" realtime="yes">/root,/home</directories>
> >> <directories check_all="yes" realtime="yes" report_changes="yes">/etc</directories>
> >>
> >> > Thank you very much
> >> > Best Regards

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
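As an added example that is not part of the thread or of OSSEC itself: a small Python check for the duplicated-directory problem dan describes, run over constructed copies of the two syscheck configurations quoted above. It assumes only the `<syscheck>` block is passed in, since a full ossec.conf may contain several `<ossec_config>` roots and is then not well-formed XML.

```python
"""Flag paths listed in more than one <directories> element of an OSSEC
syscheck block, and show which attributes each monitored path ends up with."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed samples (not copied from any real ossec.conf): the overlapping
# configuration from the question and the corrected one from the reply.
OVERLAPPING = """<syscheck>
  <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
  <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>
</syscheck>"""

CORRECTED = """<syscheck>
  <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes" realtime="yes">/root,/home</directories>
  <directories check_all="yes" realtime="yes" report_changes="yes">/etc</directories>
</syscheck>"""


def directory_options(syscheck_xml):
    """Map each monitored path to the list of attribute dicts that apply to it.

    One <directories> element lists comma-separated paths; every path inherits
    that element's attributes (check_all, realtime, report_changes, ...).
    A path with more than one entry is configured in more than one element.
    """
    root = ET.fromstring(syscheck_xml)
    options = defaultdict(list)
    for elem in root.iter("directories"):
        for path in (elem.text or "").split(","):
            path = path.strip()
            if path:
                options[path].append(dict(elem.attrib))
    return options


def duplicated_directories(syscheck_xml):
    """Return, sorted, the paths that appear in more than one <directories> element."""
    return sorted(p for p, opts in directory_options(syscheck_xml).items() if len(opts) > 1)


if __name__ == "__main__":
    for label, conf in (("overlapping", OVERLAPPING), ("corrected", CORRECTED)):
        print(f"{label}: duplicated = {duplicated_directories(conf) or 'none'}")
        for path, opts in sorted(directory_options(conf).items()):
            print(f"  {path}: {opts}")
```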